Vulnerabilities > Apache > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-06-19 CVE-2023-35005 Unspecified vulnerability in Apache Airflow 2.5.0/2.6.0/2.6.1
In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2.
network
low complexity
apache
6.5
2023-06-14 CVE-2023-34149 Allocation of Resources Without Limits or Throttling vulnerability in Apache Struts
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
network
low complexity
apache CWE-770
6.5
2023-06-12 CVE-2023-34212 Deserialization of Untrusted Data vulnerability in Apache Nifi
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
network
low complexity
apache CWE-502
6.5
2023-05-25 CVE-2022-46907 Cross-site Scripting vulnerability in Apache Jspwiki
A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
network
low complexity
apache CWE-79
6.1
2023-05-22 CVE-2023-31101 Insecure Default Initialization of Resource vulnerability in Apache Inlong 1.5.0/1.6.0
Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.5.0 through 1.6.0.
network
low complexity
apache CWE-1188
6.5
2023-05-12 CVE-2023-28936 Incorrect Comparison vulnerability in Apache Openmeetings
Attacker can access arbitrary recording/room Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
network
low complexity
apache CWE-697
5.3
2023-05-08 CVE-2023-29247 Cross-site Scripting vulnerability in Apache Airflow
Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0.
network
low complexity
apache CWE-79
5.4
2023-05-02 CVE-2023-26268 Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.
network
low complexity
apache ibm
5.3
2023-05-01 CVE-2022-45801 Injection vulnerability in Apache Streampark
Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input.
network
low complexity
apache CWE-74
5.4
2023-04-25 CVE-2023-22665 Expression Language Injection vulnerability in Apache Jena
There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts.
network
low complexity
apache CWE-917
5.4